PRIVACY POLICY

This privacy policy (“Privacy Policy”) applies to personal data that I collect from you as a customer (“you” or “your”). It provides information on what data I collect, why I collect the data, how it is used and the lawful basis on which your personal data is processed, and what your rights are under the applicable data protection and privacy laws, including the General Data Protection Regulation (“GDPR”).

1. Who am I

I am Emma Marshall Photography (trading as I shall take the heart), 24 Graham Road, London E8 1BZ, UK I am the data controller responsible for your personal data.

2. What do I collect

I collect and process the following information provided by you in the course of your initial enquiry and the formation, operation and conclusion of our contract for photography services:

Personal information: This includes your name, address, e-mail address; phone number; gender and date of birth; country, as well as the names, dates of birth, gender and other details about your family members and other participants in a photography session, together with any other information that you elect to provide to me.
Payment Information: Information about your debit/credit card and bank account information provided by you to my payment service providers, that I require for the purpose of processing payment for my goods and services.
Other Information: Personal details you choose to give when corresponding with me by phone or e-mail or in person.

In providing my services I create photographs which may identify you, your family members and other participants and that may be considered personal data. My photographs may be produced in print and digital format. You are responsible for ensuring that all participants in a photograph session have been provided with a copy of this privacy policy.

Personal data will be processed in order to perform my contract with you, fulfil legal obligations and for legitimate interests, as described below.

3. How I use your personal information

I use your personal information in the following ways:

to provide you with my services and to create and deliver the products you have requested and contact you regarding your use of the services. Such use is necessary to respond to or implement your request and for the performance of the contract betIen you and me.
as necessary for certain legitimate business interests, which include the following:
- where I am asked to deal with any enquiries or complaints you make;
- to provide postal communications which I think will be of interest to you;
- if you ask me to delete your data or to be removed from my marketing lists and I am required to fulfil your request, to keep basic data to identify you and prevent further unwanted processing; and
- to (a) comply with legal obligations, (b) respond to requests from competent authorities; (b) protect my operations; (c) protect my rights, safety or property, and/or that of my affiliated businesses, you or others; and (d) enforce or defend legal rights, or prevent damage.
With your consent, I may use your photographs to promote and advertise my business, including (a) in my studio and in my printed publications, presentations, promotional materials (including leaflets, brochures, stickers, bookmarks, posters, factsheets, calendars); (b) on my website and other digital advertising of my services; and (c) in social media forums such as Instagram, Pinterest, LinkedIn, TikTok and Facebook.
I may provide you with information about goods or services, events and other promotions I feel may interest you. I will contact you by email only with your consent, if this was given at the time you provided me with the personal data.

I may use your personal data for other reasons compatible with the purposes of the data processing outlined in this Privacy Policy. There may be other occasions where personal data is processed for unrelated purposes which will be explained at that time upon notice to you. If required, I will ask for your consent to any such further processing.

As used in this Privacy Policy, “legitimate interests” means my interests in conducting and managing my business and fulfilling my obligations under my contract with you. This Privacy Notice describes when I process personal data for those legitimate interests, what these interests are and your rights. When I process your personal data for my legitimate interests, I make sure to consider and balance any potential impact on you, and your rights under data protection laws. My legitimate interests do not automatically override your interests. I will not use your personal data for activities where my interests are overridden by the impact on you, unless I have your consent or those activities are otherwise required or permitted by law. You have the right to object at any time to processing of your personal data that is based on my legitimate interests, on grounds relating to your particular situation (for more information on your rights, please see “Your Data Protection Rights” section below).

You acknowledge and agree that where provision of personal data is necessary to ensure compliance with legal obligations or to perform my contract with you, failure to provide relevant personal data for the above mentioned purposes may prevent me providing my goods and services to you.

4. Disclosure of your information

I share your personal data with third parties in the following situations:

Service Providers: I sometimes engage selected third parties who act on my behalf to support my operations, such as (i) card processing or payment services (see the section below headed “Payment Information”), (ii) IT suppliers and contractors (e.g. data hosting providers or delivery partners) as necessary to provide IT support and enable me to provide my goods/services, and (iii) providers of specialist services, including retouching, printers, framers and book binders. Pursuant to my instructions, these parties may access, process or store your personal data in the course of performing their duties to me and solely in order to perform the services I have hired them to provide.
Business Transfers: if I sell my business or my company assets are acquired by a third party personal data held by me about my customers may be one of the transferred assets.
Administrative and Legal Reasons: if I need to disclose your personal data (i) to comply with a legal obligation and/or judicial or regulatory proceedings, a court order or other legal process. (ii) to enforce my Terms & Conditions or other applicable contract terms that you are subject to; (iii) to protect me, my members or contractors against loss or damage. This may include (without limit) exchanging information with the police, courts or law enforcement organisations.

5. Payment information

Any credit/debit card payments and other payments you make will be processed by my third party payment providers and the payment data you submit will be securely stored and encrypted by my payment service providers using up to date industry standards. Please note that I do not ourselves directly process or store the debit/credit card data that you submit.

6. Data transfers

Your personal data will be transferred to and stored in countries other than the country in which the information was originally collected, including the United States and other destinations outside the United Kingdom to my service providers for the purposes described above.

Please note that the countries concerned may not provide the same legal standards for protection of your personal data that you have in the United Kingdom. Where I transfer your personal data to countries outside of the UK I will take all steps to ensure that your personal data continue to be protected. I will implement appropriate safeguards for the transfer of personal data to my service providers in accordance with the applicable law, such as relying on my service providers’ Privacy Shield certification or implementing standard contractual clauses for data transfers. If you would like to receive more information on the safeguards that I implement, including copies of relevant data transfer contracts, please contact me as indicated below.

7. Data retention

Personal data will not be held for longer than necessary with regard to the purposes of the data processing outlined in this Privacy Policy, subject to any retention periods provided by applicable laws and regulations. I apply criteria to determine the appropriate periods for retaining personal data depending on its purpose, nature, and sensitivity and any retention periods provided by applicable laws and regulations. For example, I retain your personal data for 5 years after your photography session and I retain the digital files of your photographs for a minimum period of 10 years. Please note, information and digital files may be deleted within those timescales depending upon system capacity. When you consent to receive marketing communications, I will keep your data until you unsubscribe. Upon expiry of the applicable retention period I will securely destroy your personal data in accordance with applicable laws and regulations.

8. Your data protection rights

Certain applicable data protection laws give you specific rights in relation to your personal data. In particular, you have the following rights in relation to your personal data:

Right of access: If you ask me, I will confirm whether I am processing your personal data and, if so, provide you with a copy of that personal data along with certain other details.
Right to rectification: If your personal data is inaccurate or incomplete, you are entitled to ask that I correct or complete it. If I shared your personal data with others, I will tell them about the correction where possible.
Right to erasure: You may ask me to delete or remove your personal data, such as where my legal basis for the processing is your consent and you withdraw consent. I may continue processing personal data where this is necessary for a legitimate interest in doing so, as described in this Privacy Policy.
Right to restrict processing: You may ask me to restrict or ‘block’ the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or object to me processing it. I will tell you before I lift any restriction on processing.
Right to data portability: You have the right to obtain your personal data from me that you consented to give me or that was provided to me as necessary in connection with my contract with you. I will give you your personal data in a structured, commonly used and machine-readable format. You may reuse it elsewhere.
Right to object: You may ask me at any time to stop processing your personal data on grounds relating to your particular situation, and I will do so:
- If I am relying on a legitimate interest to process your personal data -- unless I demonstrate compelling legitimate grounds for the processing or
- If I am processing your personal data for direct marketing.
Right to withdraw consent: If I rely on your consent to process your personal data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing of your data before I received notice that you wished to withdraw your consent.
Right to lodge a complaint with the data protection authority: If you have a concern about my privacy practices, including the way I handled your personal data, you can report it to the UK data protection authority (the Information Commissioner’s Office or ICO) using the following link. https://ico.org.uk/make-a-complaint

If you wish to exercise any of these rights please contact me as described in the “Contact” section below. I may also need to ask you for further information to verify your identity before I can respond to any request.